LOGbinder Support

4. Monitoring LOGbinder for Exchange

Getting Started

Part 1: Installing LOGbinder for Exchange
Part 2: Configuring LOGbinder for Exchange
Part 3: Mailbox Audit Policy Management
Part 5: Appendix

Monitoring LOGbinder for Exchange

When installing, configuring, and running LOGbinder for Exchange, the software writes diagnostic events to the Windows Application Event Log. Most of these will be from the source "LOGbndSE" and the category "LOGbinder." You may use the Windows Event Viewer to examine these events.

During Installation and Configuration

During installation and configuration, you will find these entries:

  • After installation, there may be an entry from the source MsiInstaller: "Product: LOGbinder EX -- Installation completed successfully."
  • When the configuration of LOGbinder for Exchange changes, you will see one or more entries entitled "LOGbinder settings changed." See Appendix C: Diagnostic Events:“553– LOGbinder settings changed” for information about these events.
  • When the service starts, there may be an entry from the source LOGbinder EX: "Service started successfully." (Entries are also written when the service is stopped.)

You can monitor these events to ensure that LOGbinder for Exchange continues to be configured properly, and that unauthorized changes do not occur.

After configuring LOGbinder for Exchange and starting the service, it automatically performs a check to ensure that LOGbinder's settings are valid and that the account running the Windows service has sufficient authority. If there is a problem, the LOGbinder for Exchange service will not start and a message will be presented to the user. In most cases, the details of the problem are written to the Application log. Common problems include:

  • Input/output not configured properly. See the previous section “Configuring LOGbinder for Exchange” for more information.
  • Insufficient authority. If the service account does not have adequate authority, then the service will not run. An entry is written to the Application log. See Appendix C: Diagnostic Events“556– LOGbinder insufficient authority” for more details. Some of the common missing permissions include:
    • Account does not have authority to log on as a Windows service
    • Account does not have necessary permissions in Exchange.
    • The account does not have authority to write to the Security event log. (If this output destination has not been selected, then it is not necessary to grant this permission.)
  • License invalid. If the license is not valid or has expired, then the LOGbinder for Exchange service will not run. An entry may be written to the Application log. See Appendix C: Diagnostic Events:“557– License for LOGbinder invalid” for details.
  • Other errors will be found in entries entitled "LOGbinder error." See Appendix C:Diagnostic Events:“555– LOGbinder error” for more information.

If any of these errors are encountered, the LOGbinder for Exchange service will not run.

While LOGbinder for Exchange is Running

While LOGbinder for Exchange is running, you will see information entries in the Application log as follows:

  • Entries 'exported' from Exchange. For each Exchange server being monitored, this message indicates the number of audit entries that LOGbinder for Exchange has processed.
  • Entries 'imported' into the Windows event log. This indicates that the audit entries have been placed in the enabled output formats. There will be one message event if multiple output formats have been selected (i.e. you have selected both Windows Security Log and Windows Event Log as output formats). The 'export'/'import' entries are complementary: there should be a corresponding 'import' entry for each 'export.'

These log entries are informational in nature. Generally no action is required. If more entries are being processed than what appear in the event logs or in your log management solution, it could be that the log size is too small and entries are being overwritten. See Appendix C: Diagnostic Events“551– LOGbinder agent successful” for more information on these events.

If LOGbinder for Exchange has an error, an entry will be created in the Application log. If permissions are removed, or if the license expires, you may receive a "556– LOGbinder insufficient authority" or "557– License for LOGbinder invalid" error, which are explained above. Other errors will be entitled "555 – LOGbinder error". If you cannot resolve the problem, please submit the issue to the LOGbinder support team.

On a scale of 1-5, please rate the helpfulness of this article

Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!

Still have questions - Submit a new ticket